Apple (Cupertino) Announces Official Bug Bounty Program Starting in 2016
New Apple (Cupertino) Bug Bounty Program Upcoming in 2016
As part of a security presentation given at this year's Black Hat conference, Apple announced that it would be starting a new bug bounty program for its products. The official bug bounty program will reward security researchers who uncover vulnerabilities in Apple's products and bring them to the company's attention. The Apple Product Security team has publicly defined the scope of the program and its reward tiers ahead of the full launch:
- Secure boot firmware components: Up to $200,000
- Extraction of confidential material protected by the Secure Enclave: Up to $100,000
- Execution of arbitrary code with kernel privileges: Up to $50,000
- Access from a sandboxed process to user data outside of that sandbox: Up to $25,000
- Unauthorized access to iCloud account data on Apple servers: Up to $50,000
Researchers who want to claim a bounty will need to submit a report to Apple (Cupertino) with a valid proof-of-concept exploit or code that works on the latest stable version of iOS. If the bug is hardware-related, the proof-of-concept must also work on the latest shipping iPhone or iPad hardware. The reward amounts outlined above are upper limits. Actual payments will depend on the novelty of the issue and on how likely the zero-day vulnerability is to be exploited by local or remote attackers.
Researchers are also asked not to disclose the zero-day vulnerabilities or bugs before Apple (Cupertino) has had time to patch them in a regular release cycle. The company would only say it would fix them as soon as possible and would not commit to any firm time window. Once a fix is published, researchers will be given credit, as on Apple's existing security acknowledgement pages.
Apple said in a public session that it is implementing the bounty program in part because bugs are becoming harder to find, but also because such programs deter researchers from selling those bugs to other companies, governments, or individuals who might want to exploit them. The official Apple bug bounty program will start small and expand more slowly than expected, but permanently, over time.
The following statement has been issued by Ivan Krstic, a security engineer at Apple (Cupertino).
The point about Apple declining to commit to fixed time frames addresses the independent community's constant pressure on Apple (Cupertino) for update commitments. Thanks for the changes; we are all happy to watch and participate in the upcoming program.
Reference(s):
https://www.blackhat.com/us-16/briefings.html#behind-the-scenes-of-ios-security